Static Nat for sending syslog messages to remote site.

mahesh18
Level 6

Hi Everyone,

If we have two sites and each site has a syslog server:

Site A
  Syslog server IP 192.168.50.1
  ASA1

Site B
  Syslog server IP 192.168.60.1
  ASA2

For redundancy purposes the ASA at each site will send all syslog messages to the syslog server at its own site and also to the remote site.

So ASA1 will need to send syslog messages to 192.168.50.1 and 192.168.60.1.

The syslog server is on the inside interface of the ASA.

So I need to know: if we do static NAT on the ASA, will this be OK on ASA1 (version 8.2)?

static (inside,outside) udp 200.x.x.1 syslog 192.168.50.1 syslog

static (inside,outside) udp 200.x.x.2 syslog 192.168.60.1 syslog

So what config should I do on ASA2 at site 2?

Also, if I use a public IP for each static NAT, then I cannot use that IP for any other NAT, right?

Thanks

Mahesh

22 Replies

Hi Mahesh,

You should really try to post the answers and questions here in the discussion. It gets quite confusing reading the information in two different places.

So if I were to suggest which steps to take regarding this syslog setup configuration:

  • Determine if the syslog server on either side has a Static NAT or Static PAT configuration
    • Use the command "show xlate | inc "
    • On one site insert its local IP address and on the other site its syslog server's local IP address
  • If you don't see any existing NAT configurations for these syslog servers, then determine if you have spare public IP addresses available that ARE NOT in any kind of use at the moment
  • Configure a typical Static NAT using the syslog server's local IP address and the spare public IP address on each site. So one Static NAT per site.
  • On each site configure the "outside" ACL so that it allows syslog traffic sourced from the remote site's ASA's "outside" interface IP address
  • Configure "logging host outside " to enable logging to the remote syslog server
  • When the configurations are done, determine if the remote site's ASA's logs are arriving at the other site's syslog server. Do this on both sites.
  • If it doesn't work, then you have to troubleshoot and determine that the ASA is actually trying to send the syslog traffic and that the remote ASA is allowing this syslog connection through
  • If things work, then we can look at changing this syslog traffic to go through a L2L VPN connection.

- Jouni
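As an added illustration of the steps above (this is not configuration posted in the thread), here is what the Site A ASA 8.2 configuration would look like for the Internet-path phase. The only address taken from the thread is the Site A syslog server 192.168.50.1; 203.0.113.10 (Site A's spare public IP), 198.51.100.1 (the Site B ASA's outside IP) and 198.51.100.20 (the Site B syslog server's public IP) are assumed placeholders, and OUTSIDE_IN is an assumed ACL name:

```cisco
! Site A ASA, 8.2 syntax. Added example, not configuration from the thread.
! Assumed placeholders: 203.0.113.10 = spare public IP for the Site A syslog server,
! 198.51.100.1 = Site B ASA outside IP, 198.51.100.20 = Site B syslog server public IP.
!
! Static PAT: expose only UDP/514 of the local syslog server, not the whole host.
static (inside,outside) udp 203.0.113.10 syslog 192.168.50.1 syslog netmask 255.255.255.255
!
! Outside ACL: permit syslog only from the remote ASA's outside address
! (the remote ASA sources its own syslog from that interface IP).
access-list OUTSIDE_IN extended permit udp host 198.51.100.1 host 203.0.113.10 eq syslog
access-group OUTSIDE_IN in interface outside
!
! Log to the local server and, via the outside interface, to the remote site's public address.
logging enable
logging trap informational
logging host inside 192.168.50.1
logging host outside 198.51.100.20
!
! Verification commands for the last two steps:
! show xlate | include 192.168.50.1        (the static translation exists)
! show logging | include 198.51.100.20    (message counter toward the remote server increases)
! show access-list OUTSIDE_IN             (hit counts on the permit line as remote logs arrive)
```

Site B is the mirror image with the addresses swapped. Two caveats: if an ACL is already bound to the outside interface, add the permit line to that ACL instead of issuing a new access-group, which would replace the existing binding; and because this phase sends plaintext syslog across the Internet and opens UDP/514 on a public address, it is only a test stage, which is why the last step moves the traffic onto the L2L VPN.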

Hi Jouni,

When I do "sh run static | inc public ip"

it shows that it is statically mapped to the syslog server at the remote and local site.

So I need to understand this: we use a couple of public IPs obtained from the ISP and map them to the internal syslog servers, right?

So this setup is just for logging from the edge device to syslog, right?

So it does not log messages to the remote syslog server, right?

Thanks

mahesh

Hi,

So you are saying that both sites' ASAs have a Static NAT for the site's syslog server? If this is correct then the syslog server can be reached from the Internet.

After this you would have to create an ACL rule on the "outside" interface ACL to allow syslog traffic from the remote site's ASA's "outside" interface IP address to the local syslog server's public IP address. You would configure ACL rules on both sites to allow the other site's ASA to send syslog to the public IP address of that site's syslog server.

When that is done you could enable syslogging on each site's ASA (towards the other site's syslog server):

logging host outside

And if everything is fine, you should be able to get syslog messages from both ASAs to both syslog servers.

And as I said before, after we confirm that the logs are going through from each site to the other, then we could move this traffic to a L2L VPN connection.

In short, the purpose of these very first steps is to:

  • Make sure that both sites have a public IP address configured for the server
  • Confirm that both sites have an ACL rule that allows the syslog messages coming from the other site
  • Configure each ASA to send syslogs through the "outside" interface also to the other site's syslog server
  • Eventually move this traffic to the L2L VPN between the sites

- Jouni

Hi Jouni,

I have tested the syslog connection of both sites via the Internet.

I am doing this as we have to replace the existing syslog servers; that's why I have to do the setup again.

It's a new setup now with new IP addresses.

Earlier, syslog messages to the remote site were going via GRE over IPsec.

Currently both sites are sending syslog messages to each other via the Internet.

This has been tested.

Now I need to send the syslog messages internally over the GRE tunnel.

The GRE tunnel goes via IPsec between the two sites.

I have changed the logging host from outside to inside as the traffic needs to go via IPsec now.

I know the router which has the GRE tunnel, and the destination IP of the tunnel goes via IPsec.

I need to know what step I should take on this ASA so that the traffic goes via the GRE tunnel.

Should I define a static route on the ASA so that to reach the syslog server at each remote site we go to the router which has the GRE tunnel configured?

Like "route inside 192.168.60.1 255.255.255.0"?

Going to sleep now.

Thanks

Mahesh

Hi Mahesh,

I had no idea that you have a L2L VPN/GRE connection through some other routers in the network. I presumed that you had a L2L VPN connection between the ASA firewalls directly. This again naturally changes the setup completely.

Does each of your ASAs have a route towards the remote syslog server yet? Are you perhaps running dynamic routing between the sites, as you are using IPsec + GRE?

What is the IP address/network of the interface of the ASA that has the route (or will have the route after it is configured) for the remote site's syslog server?

Basically you should first confirm that each site has a route towards the other site's syslog server network. You would also have to confirm that each site has a route for the network that is connected to the ASA interface from which you want to send the syslogs to the other site.

You should be able to use the "show route" command on the ASAs and the "show ip route" command on the router side to determine if the routing information needed is already there. If not, then some additions to the routing have to be made for each ASA to be able to send syslog to the other side.

- Jouni
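As an added example of the second phase Jouni and Mahesh are discussing (moving the logging from the Internet path to the GRE-over-IPsec path through the inside router), not configuration from the thread: the Site A ASA verifies its route to the Site B syslog network, then retires the outside logging destination. 192.168.60.1 and the 192.168.60.0/24 network come from the thread; 192.168.50.254 (the inside router terminating the GRE tunnel) and 198.51.100.20 (the Site B public syslog address used in the earlier phase) are assumed placeholders:

```cisco
! Site A ASA. Added example, not configuration from the thread.
! Assumed placeholders: 192.168.50.254 = inside router that terminates the GRE tunnel,
! 198.51.100.20 = Site B syslog server public address used during the Internet-path test.
!
! 1. Check whether a route to the remote syslog network already exists
!    (dynamic routing over the tunnel may have provided it):
! show route | include 192.168.60
!
! 2. If it is missing, add a static route for the network (network address plus mask)
!    pointing at the inside router that owns the GRE tunnel:
route inside 192.168.60.0 255.255.255.0 192.168.50.254
!
! 3. Send remote-site logs through the inside interface and drop the Internet-path destination:
no logging host outside 198.51.100.20
logging host inside 192.168.60.1
!
! 4. Confirm the ASA is emitting toward the new destination:
! show logging | include 192.168.60.1
```

Because the ASA sources these messages from its inside interface address, the Site B side (router and ASA) needs a route back to Site A's inside network through the tunnel, which is the second route Jouni asks about. Once both directions are confirmed on the inside path, the static PAT and the outside ACL entry from the Internet-path phase can be removed so UDP/514 is no longer reachable from the Internet.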

Hi Jouni,

Yes, each ASA has a route to the remote syslog server.

It's running IPsec + GRE.

All of the setup is working fine now.

All routing info was already there.

Many thanks for your help on this project.

Best regards

Mahesh

Hi Mahesh,

Glad to hear it's working.

Too bad there was some confusion at the start about the actual network setup. It seems you had everything in place but the actual logging configuration?

- Jouni

Hi jouni,

I just needed to change the IP in the logging configuration.

Mahesh
